SMC Networks Router SMCWBR14-N User Manual
Have a look at the manual SMC Networks Router SMCWBR14-N User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 10 SMC Networks manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
38 Advanced_WEB Filter This section is where you add the Web sites to be used for Access Control. The Web sites listed here are used when the Web Filter option is enabled in Access Control. The Web Filter section is one of two means by which you can specify the web sites you want to allow. You also have the alternative of using the Sentinel Parental Controls Service, which allows you to specify broad categories of web sites and saves you the trouble of entering specific web site URLs. For more information about the Sentinel service, refer to Tools → Sentinel. Web Filter Parameters Web Site Enter the address of the web site that you want to allow; for example: google.com. Do not enter the http:// preceding the address. Enter the most inclusive domain; for example, enter u-media.com and access will be permitted to both www.u-media.com and support.u-media.com. Many web sites construct pages with images and content from other web sites. Access will be forbidden if you do not enable all the web sites used to construct a page. For example, to access my.yahoo.com, you need to enable access to yahoo.com, yimg.com, and doubleclick.net. Add/Edit Web Site This is where you can add Web sites to the Allowed Web Site List or change entries in the Allowed Web Site List.
39 Enable Entries in the Allowed Web Site List can be activated or deactivated with this checkbox. New entries are activated by default. Save Saves the new or edited Allowed Web Site in the following list. When finished updating the Allowed Web Site List, you must still click the Save Settings button at the top of the page to make the changes effective and permanent. Allowed Web Site List The section lists the currently allowed web sites. An allowed web site can be changed by clicking the Edit icon, or deleted by clicking the Delete icon. When you click the Edit icon, the item is highlighted, and the Edit Web Site section is activated for editing.
40 Advanced_MAC Address Filter The MAC address filter section can be used to filter network access by machines based on the unique MAC addresses of their network adapter(s). It is most useful to prevent unauthorized wireless devices from connecting to your network. A MAC address is a unique ID assigned by the manufacturer of the network adapter. Enable MAC Address Filter When this is enabled, computers are granted or denied network access depending on the mode of the filter. Misconfiguration of this feature can prevent any machine from accessing the network. In such a situation, you can regain access by activating the factory defaults button on the router itself. Filter Settings Mode When only allow listed machines is selected, only computers with MAC addresses listed in the MAC Address List are granted network access. When only deny listed machines is selected, any computer with a MAC address listed in the MAC Address List is refused access to the network. Filter Wireless Clients When this is selected, the MAC address filters will be applied to wireless network clients.
41 Filter Wired Clients When this is selected, the MAC address filters will be applied to wired network clients. Add/Edit MAC Address In this section, you can add entries to the MAC Address List below, or edit existing entries. Enable MAC address entries can be activated or deactivated with this checkbox. MAC Address Enter the MAC address of the desired computer or connect to the router from the desired computer and click the Copy Your PC’s MAC Address button. Save Saves the new or edited MAC Address entry in the following list. When finished updating the MAC Address List, you must still click the Save Settings button at the top of the page to make the changes effective and permanent. MAC Address List The section lists the current MAC Address filters. A MAC Address entry can be changed by clicking the Edit icon, or deleted by clicking the Delete icon. When you click the Edit icon, the item is highlighted, and the Edit MAC Address section is activated for editing.
42 Advanced_Firewall The router provides a tight firewall by virtue of the way NAT works. Unless you configure the router to the contrary, the NAT does not respond to unsolicited incoming requests on any port, thereby making your LAN invisible to Internet cyber attackers. However, some network applications cannot run with a tight firewall. Those applications need to selectively open ports in the firewall to function correctly. The options on this page control several ways of opening the firewall to address the needs of specific types of applications. See also Virtual Server , Port Forwarding, Application Rules, and UPnP for related options.
43 Firewall Settings Enable SPI SPI (stateful packet inspection also known as dynamic packet filtering) helps to prevent cyber attacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers. Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packets flags are valid for the current state. NAT Endpoint Filtering The NAT Endpoint Filtering options control how the routers NAT manages incoming connection requests to ports that are already being used. Endpoint Independent Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet. Address Restricted The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created. Port And Address Restricted The NAT does not forward any incoming connection requests with the same port address as an already establish connection. Note that some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or port forwarding to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected. UDP Endpoint Filtering Controls endpoint filtering for packets of the UDP protocol. TCP Endpoint Filtering
44 Controls endpoint filtering for packets of the TCP protocol. DMZ Host DMZ means Demilitarized Zone. If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on that computer. When a LAN host is configured as a DMZ host, it becomes the destination for all incoming packets that do not match some other incoming session or rule. If any other ingress rule is in place, that will be used instead of sending packets to the DMZ host; so, an active session, virtual server, active port trigger, or port forwarding rule will take priority over sending a packet to the DMZ host. (The DMZ policy resembles a default port forwarding rule that forwards every port that is not specifically sent anywhere else.) The router provides only limited firewall protection for the DMZ host. The router does not forward a TCP packet that does not match an active DMZ session, unless it is a connection establishment packet (SYN). Except for this limited protection, the DMZ host is effectively outside the firewall. Anyone considering using a DMZ host should also consider running a firewall on that DMZ host system to provide additional protection. Packets received by the DMZ host have their IP addresses translated from the WAN-side IP address of the router to the LAN-side IP address of the DMZ host. However, port numbers are not translated; so applications on the DMZ host can depend on specific port numbers. The DMZ capability is just one of several means for allowing incoming requests that might appear unsolicited to the NAT. In general, the DMZ host should be used only if there are no other alternatives, because it is much more exposed to cyber attacks than any other system on the LAN. Thought should be given to using other configurations instead: a virtual server, a port forwarding rule, or a port trigger. Virtual servers open one port for incoming sessions bound for a specific application (and also allow port redirection and the use of ALGs). Port forwarding is rather like a selective DMZ, where incoming traffic targeted at one or more ports is forwarded to a specific LAN host (thereby not exposing as many ports as a DMZ host). Port triggering is a special form of port forwarding, which is activated by outgoing traffic, and for which ports are only forwarded while the trigger is active. Few applications truly require the use of the DMZ host. Following are examples of when a DMZ host might be required: • A host needs to support several applications that might use overlapping ingress ports such that two port forwarding rules cannot be used because they would potentially be in conflict. • To handle incoming connections that use a protocol other than ICMP, TCP, UDP, and IGMP (also GRE and ESP, when these protocols are enabled by the PPTP and IPSec ALGs ). Enable DMZ Putting a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only recommended as a last resort. DMZ IP Address Specify the LAN IP address of the LAN computer that you want to have unrestricted Internet communication. If this computer obtains its address Automatically using DHCP,
45 then you may want to make a static reservation on the Basic → Network Settings page so that the IP address of the DMZ computer does not change. Non-UDP/TCP/ICMP LAN Sessions When a LAN application that uses a protocol other than UDP, TCP, or ICMP initiates a session to the Internet, the routers NAT can track such a session, even though it does not recognize the protocol. This feature is useful because it enables certain applications (most importantly a single VPN connection to a remote host) without the need for an ALG. Note that this feature does not apply to the DMZ host (if one is enabled). The DMZ host always handles these kinds of sessions. Enable Enabling this option (the default setting) enables single VPN connections to a remote host. (But, for multiple VPN connections, the appropriate VPN ALG must be used.) Disabling this option, however, only disables VPN if the appropriate VPN ALG is also disabled. Application Level Gateway (ALG) Configuration Here you can enable or disable ALGs. Some protocols and applications require special handling of the IP payload to make them work with network address translation (NAT). Each ALG provides special handling for a specific protocol or application. A number of ALGs for common applications are enabled by default. PPTP Allows multiple machines on the LAN to connect to their corporate networks using PPTP protocol. When the PPTP ALG is enabled, LAN computers can establish PPTP VPN connections either with the same or with different VPN servers. When the PPTP ALG is disabled, the router allows VPN operation in a restricted way -- LAN computers are typically able to establish VPN tunnels to different VPN Internet servers but not to the same server. The advantage of disabling the PPTP ALG is to increase VPN performance. Enabling the PPTP ALG also allows incoming VPN connections to a LAN side VPN server (refer to Virtual Server). IPSec (VPN) Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try disabling this option. Check with the system administrator of your corporate network whether your VPN client supports NAT traversal. Note that L2TP VPN connections typically use IPSec to secure the connection. To achieve multiple VPN pass-through in this case, the IPSec ALG must be enabled. RTSP Allows applications that use Real Time Streaming Protocol to receive streaming media from the internet. QuickTime and Real Player are some of the common applications using this protocol. Windows/MSN Messenger Supports use on LAN computers of Microsoft Windows Messenger (the Internet messaging client that ships with Microsoft Windows) and MSN Messenger. The SIP ALG
46 must also be enabled when the Windows Messenger ALG is enabled. FTP Allows FTP clients and servers to transfer data across NAT. Refer to the Advanced → Virtual Server page if you want to host an FTP server. H.323 (Netmeeting) Allows H.323 (specifically Microsoft Netmeeting) clients to communicate across NAT. Note that if you want your buddies to call you, you should also set up a virtual server for NetMeeting. Refer to the Advanced → Virtual Server page for information on how to set up a virtual server. SIP Allows devices and applications using VoIP (Voice over IP) to communicate across NAT. Some VoIP applications and devices have the ability to discover NAT devices and work around them. This ALG may interfere with the operation of such devices. If you are having trouble making VoIP calls, try turning this ALG off. Wake-On-LAN This feature enables forwarding of magic packets (that is, specially formatted wake-up packets) from the WAN to a LAN computer or other device that is Wake on LAN (WOL) capable. The WOL device must be defined as such on the Advanced → Virtual Server page. The LAN IP address for the virtual server is typically set to the broadcast address 192.168.2.255. The computer on the LAN whose MAC address is contained in the magic packet will be awakened. MMS Allows Windows Media Player, using MMS protocol, to receive streaming media from the internet.
47 Advanced_Inbound Filter When you use the Virtual Server, Gaming, or Remote Administration features to open specific ports to traffic from the Internet, you could be increasing the exposure of your LAN to cyber attacks from the Internet. In these cases, you can use Inbound Filters to limit that exposure by specifying the IP addresses of internet hosts that you trust to access your LAN through the ports that you have opened. You might, for example, only allow access to a game server on your home LAN from the computers of friends whom you have invited to play the games on that server. Inbound Filters can be used for limiting access to a server on your network to a system or group of systems. Filter rules can be used with Virtual Server, Gaming, or Remote Administration features. Each filter can be used for several functions; for example a Game Clan filter might allow all of the members of a particular gaming group to play several different games for which gaming entries have been created. At the same time an Admin filter might only allows systems from your office network to access the WAN admin pages and an FTP server you use at home. If you add an IP address to a filter, the change is effected in all of the places where the filter is used.